Splunk Search

Exclude a known IP from results

MattQ
Explorer

I am returning query results that give a list of IPs on which an event has occurred. I want to create an alert to fire historically on the data if the criteria are met, HOWEVER I have a known IP address that will always meet the criteria (my IP). I would like to either exclude this from the results and then fire an event on the remaining results, or set a custom alert condition to alert on an event EXCEPT if it is from my IP.

This should be simple. Just missing it.

0 Karma

mosman_splunk
Splunk Employee

You can list all the IPs that you want to whitelist in a CSV file, then run your search against that file.

e.g.

tag=traffic NOT [|inputcsv kiristian_whitelist_IP.csv ]

good luck

0 Karma

chrisprangnell
Path Finder

Can you share your search phrase please? I'm trying to do a similar thing.

0 Karma

sundareshr
Legend

@chrisprangnell Try this pseudocode:

your base search | stats count by ip | search NOT [| inputlookup knowniplist.csv | table ip ] 
0 Karma
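A fuller version of the pattern above, as an added example that is not from anyone in this thread. It assumes events carrying a field named src_ip, a lookup file known_ips.csv whose address column is called address (so it must be renamed to match the event field before the subsearch is substituted in), and a saved alert whose trigger condition is "number of results greater than 0":

```spl
index=main sourcetype=access_combined status=401
| stats count BY src_ip
| where count > 10
| search NOT [| inputlookup known_ips.csv | rename address AS src_ip | fields src_ip ]
```

The subsearch expands to `NOT (src_ip="..." OR src_ip="...")`, so the column name in the lookup must equal the field name in the results or nothing is excluded; for very large allowlists, keep in mind that subsearches are capped at a fixed number of rows (10,000 by default), in which case `| lookup known_ips.csv address AS src_ip OUTPUT address AS known | where isnull(known)` avoids the limit.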

MattQ
Explorer

I actually did get this to work using NOT. I just needed to be more creative. Thanks.

0 Karma

MattQ
Explorer

Normally this would work, yes, but the way I am manipulating the data I can't seem to make the NOT command fit. Is there a way to get results of A, C, F, G but exclude F from my table results list?

0 Karma

kristian_kolb
Ultra Champion

Have you taken a look at the NOT operator? Or the != operator? Both could be used in your search to exclude results otherwise matching your search criteria.

/K
